Study on Regulatory Aspects - ESA Business Applications Regulatory Study... · CISSP Certified...
Transcript of Study on Regulatory Aspects - ESA Business Applications Regulatory Study... · CISSP Certified...
Sate l l i te -Enhanced Telemedicine and eHealth for Sub -Saharan Afr ica
(eHSA) Programme
Study on Regulatory Aspects
Summary Report 16-07-2013
The work described in this report was done under ESA contract. Responsibility for the contents resides in the author or organisation that prepared it. The copyright in this document is vested in Greenfield Management Solutions. This document may only be reproduced in whole or in part, or stored in a retrieval system, or transmitted in any form, or by any means electronic, mechanical, photocopying or otherwise, either with the prior permission of Greenfield Management Solutions or in accordance with the terms of the ESA Contract N: 4000105500/12/NL/AD.
Summary Report: Study on Regulatory Aspects of eHealth Page 2 of 37
ESA Tender AO/1-6936/11/NL/AD
Contents
1. Abbreviations ....................................................................................................................... 4
2. Executive Summary .............................................................................................................. 5
2.1 Overall study goal .................................................................................................. 5
2.2 Study structure ...................................................................................................... 5
2.3 Main achievements ................................................................................................ 6
2.4 Linked initiatives .................................................................................................... 6
2.5 Implications ........................................................................................................... 6
3. Why regulate eHealth? ......................................................................................................... 7
4. Overview of the study on regulatory aspects ....................................................................... 7
4.1 Study benefits ........................................................................................................ 7
5. The Reference Regulatory Model (RRM) .............................................................................. 9
5.1 eHealth regulation priorities ................................................................................ 11
6. Global good practice .......................................................................................................... 12
6.1 Selected countries................................................................................................ 12
6.2 Completeness of the relevant regulatory framework ........................................... 12
6.3 Proven fertility of the regulatory framework ........................................................ 12
6.4 Challenges faced by the good practice countries .................................................. 13
6.5 Strengths, Weaknesses, Opportunities and Threats (SWOT) analyses ................... 13
7. The eHealth regulatory environment in SSA ...................................................................... 14
7.1 Key issues for developing eHealth regulation ....................................................... 14
8. The eHealth Regulation Readiness Index (RRI) ................................................................... 18
8.1 RRM index ........................................................................................................... 20
8.2 ITU and WHO index .............................................................................................. 21
8.3 Healthcare per capita spending ............................................................................ 21
8.4 The RRI ................................................................................................................ 22
8.5 General issues in all countries .............................................................................. 23
9. The roadmap for ready countries ....................................................................................... 25
9.1 Roadmap method for the ready countries ............................................................ 26
9.2 Essential roadmap activities ................................................................................. 26
9.3 eHealth regulation action plan ............................................................................. 27
9.4 eHealth regulation challenges .............................................................................. 29
9.5 Decisions for eHealth regulation .......................................................................... 30
9.6 Action plan for eHealth regulation ....................................................................... 30
Summary Report: Study on Regulatory Aspects of eHealth Page 3 of 37
ESA Tender AO/1-6936/11/NL/AD
9.7 Risk assessment for average rated countries ........................................................ 33
10. The roadmap for other countries ....................................................................................... 35
11. The eHealth regulation workshops ..................................................................................... 35
12. Conclusions ........................................................................................................................ 37
Summary Report: Study on Regulatory Aspects of eHealth Page 4 of 37
ESA Tender AO/1-6936/11/NL/AD
1. Abbreviations
AU African Union
AUC African Union Commission
BYOD Bring-your-own-device
BPMN Business Process Model and Notation
CISSP Certified Information Systems Security Professional
eHSA eHealth for Sub-Saharan Africa
ESA European Space Agency
HPO Healthcare Provider Organisation
ICT Information Communication Technology
ITU International Telecommunications Union
REC Regional Economic Community
RRI Regulatory Readiness Index
RRM Regulatory Reference Model
SSA Sub-Saharan Africa
SWOT Strengths, Weaknesses, Opportunities and Threats
WHO World Health Organization
WHO-AFRO World Health Organization - African Region
Summary Report: Study on Regulatory Aspects of eHealth Page 5 of 37
ESA Tender AO/1-6936/11/NL/AD
2. Executive Summary
2.1 Overall study goal
The eHealth regulation study is one of four horizontal studies that contribute to the planning phase of the satellite-enhanced telemedicine and eHealth for sub-Saharan Africa (eHSA) Programme. Its primary objective is to provide an overview of the eHealth regulatory framework needed for eHealth services. The study:
Provides an overview of eHealth regulation in 48 African countries
Suggests specific actions needed to implement a complete eHealth regulatory framework
Identifies the most promising scenarios for implementing fertilisation projects in the implementation phase of the eHSA Programme.
The goal of the eHSA Programme is to “enable the development of a satellite-enhanced eHealth and telemedicine infrastructure for the benefit of the Sub-Saharan African region”. The programme is a key recommendation of the Telemedicine Task Force, a group which was set up to develop a detailed understanding of telemedicine opportunities in SSA and formulate recommendations for implementation.
The programme emphasises strong African ownership, contribution to United Nations’ Millennium Development Goals (MDGs), and support to counteract the workforce shortage in the region.
2.2 Study structure
The study on eHealth regulation is one of four horizontal studies that address aspects needed to support successful eHealth initiatives. The three other studies address governance, interoperability and sustainability. Each study addresses the four thematic eHealth areas of the eHSA Programme: eCare, eLearning, eSurveillance and eAdministration/ eGovernance.
The study on regulatory aspects deals with seven tasks to:
1. Develop a Reference Regulatory Model (RRM) for eHealth 2. Identify worldwide good practice to fertilise the eHealth roadmap 3. Describe the current eHealth regulatory environment in sub-Saharan Africa (SSA) 4. Critically review the eHealth SSA regulatory environment using a Regulation
Readiness Index (RRI) 5. Propose a roadmap for countries that are ready to develop their eHealth regulation 6. Propose a roadmap for other countries 7. Organise eHealth regulation workshops to engage with African countries and
promote the use of the study findings.
Each of these is summarised in separate sections below.
Summary Report: Study on Regulatory Aspects of eHealth Page 6 of 37
ESA Tender AO/1-6936/11/NL/AD
2.3 Main achievements
The high-level achievements and findings for the seven main tasks are:
1. The RRM was developed and instantiated for all types of eHealth. It includes 64 eHealth regulatory aspects, grouped into six eHealth regulation aspects.
2. Five good practice countries were identified: Brazil, Canada, Estonia, Malaysia and Norway. They provided performance measures for the 64 eHealth regulatory aspects.
3. The current eHealth regulatory environment in SSA was reviewed. It lags behind the five good practice groups on all six eHealth regulation aspects. This is particularly because SSA relies primarily on telecommunications, data protection legislation and cyber-security legislation, rather than specific eHealth regulations.
4. Ten SSA countries were classified as ready to develop eHealth regulation using a RRI that comprises each country’s: RRM position, information society and eHealth maturity using the International Telecommunications (ITU) information development index and the World Health Organization’s (WHO) eHealth survey, and healthcare spending per capita.
5. A roadmap was developed for the ten ready countries. It has a five-year horizon with the first two years assigned to developing eHealth regulation processes, organisations and resources and compliance, then expanding specific eHealth regulation from year three.
6. A roadmap was developed for the other countries. It has a five-year horizon with the first four years assigned to developing eHealth regulation processes, organisations, resources and compliance, then expanding specific eHealth regulation from year five as they expand their eHealth initiatives.
7. Countries that attended the eHealth regulation workshops reported enthusiasm for the study and committed themselves to taking the initiatives forward in the steps proposed by the roadmap.
2.4 Linked initiatives
International relations initiatives established during the study include:
1. Commitment from the African Union Commission (AUC) to contribute to coordination of communication with countries and using the study to develop its eHealth regulation policies and initiatives for the whole of Africa
2. Commitment from WHO-AFRO to support dissemination and promote the study as part of its eHealth strategy
3. Local arrangements for the study team to provide modest, short-term support to some ready countries after the study’s May 2013 conclusion, including launch of a web based platform for sharing information about eHealth in Africa, which will be maintained by NGO TinTree International eHealth.
2.5 Implications
There are three critical findings from the study. The first is that eHealth regulation in SSA countries lags behind the good practice countries by some 45%. The second is that ten SSA countries, about 21%, are closer to good practice countries and are more ready for eHealth
Summary Report: Study on Regulatory Aspects of eHealth Page 7 of 37
ESA Tender AO/1-6936/11/NL/AD
regulation than the other SSA countries. Third these ready countries need about five years to assemble eHealth regulation priorities, processes, organisations, resources and legislation. Taking all three findings together, it shows that eHealth regulation is a long-term initiative for SSA.
3. Why regulate eHealth?
Two workshops on the findings of the study with selected SSA countries identified a common challenge: making the case for eHealth regulation in order to secure the processes, organisations, resources and legislation needed to implement the regulations. The question “why regulate eHealth?” needs an answer. There are several reasons. Two drivers of eHealth regulation identified at the workshops were to:
Improve and sustain security to respond to increasing challenges
Develop the eHealth market by enhancing the role of ministries of health, encouraging effective competition between eHealth suppliers, and increasing certainty and market stability for suppliers.
There are many other reasons to strengthen eHealth regulation, which combine to enable decision makers to set clear goals, strategies, priorities and objectives for eHealth regulation. Examples are:
Protect patients and citizens using services that rely on eHealth
Ensure that countries can expand sustainable eHealth successfully and economically for the benefit of patients, citizens and the healthcare system
Clarify links between eHealth regulation and the regulation of the healthcare system
Help to strengthen the healthcare system
Ensure effective collaboration with other countries.
eHealth regulation is distinct from other regulatory efforts that are critical to healthcare service provision, though it frequently needs to interface with them. Examples of related healthcare issues requiring regulation are:
Access – expand access to healthcare services
Quality – ensure quality of healthcare services
Redress – deal with specific grievances between patients, citizens and communities against healthcare professionals or health professional organizations.
These principles apply equally and consistently to ESA’s four eHealth categories of eLearning, eCare, eSurveillance and eAdministration/eGovernance.
4. Overview of the study on regulatory aspects
4.1 Study benefits
The study will enable SSA countries to strengthen their eHealth regulatory environments, to answers questions such as:
Summary Report: Study on Regulatory Aspects of eHealth Page 8 of 37
ESA Tender AO/1-6936/11/NL/AD
What regulation do I need for my telemedicine service?
I'm planning an electronic patient record system for all our hospitals, so which regulations do I need now?
I have an unregulated, multi-national eSurveillance initiative, so what regulations do I need in place over the next four to five years?
I want my health workers to use eLearning more, so what regulations do I need?
We need to improve our billing performance, so what regulations do I need to use aggregated workload data with case-mix groupings?
Addressing questions like these needs three broad eHealth regulation categories:
Generic eHealth regulations that fit most, or all countries
eHealth regulations specific to each country’s needs for national and cross-border regulations
Regional, international and global regulations.
The study has many components that have complex links. Figure 1 shows an overview of the eHealth service and eHealth regulatory environments addressed in the study.
Figure 1: Overall view of the eHealth regulation study
Countries’ eHealth Initiatives
Countries’ eHealth
Priorities
eHealth Services
RRM
eHealth Regulatory
Environment
Ready Countries
Countries’ eHealth
Regulation Priorities
Ready Countries
Countries Not Yet Ready
Countries’ eHealth Regulation Initiatives
eHealth Regulation Readiness Assessment
Countries Not Yet Ready
Generic Road Map
Continuous eHealth Regulation Development
Regulatory Environment Services
AU, NEPAD, RECs, WHO eHealth
Regulation Priorities
AU, NEPAD, RECs, WHO eHealth
Priorities
SSA Country Reviews Legend:
Summary Report: Study on Regulatory Aspects of eHealth Page 9 of 37
ESA Tender AO/1-6936/11/NL/AD
The RRM is based on an overarching principle that eHealth regulation should be relevant to each country’s needs, not designed to match regulation in litigious, developed countries. This principle applies to the entire study. Relevance depends extensively on identifying and building from each country’s current regulatory coverage and eHealth profile. The study uses the RRM and RRI for SSA countries to identify each country’s opportunities to adopt and develop eHealth regulation to support the provision of eHealth services.
Countries attending the eHealth regulation workshops were clear that reaching a position of continuous eHealth regulation development is a long-term goal. They see the need for sustained support and capacity building to reach it.
5. The Reference Regulatory Model (RRM)
This RRM provides a mechanism to identify which regulations apply to which issues in eHealth service implementation and provision. The various regulatory issues identified in eHealth service provision in the RRM provide a comprehensive specification of how regulation affects the different types of eHealth services. The specification includes descriptions of the extent to which regulation affects the implementation and provision of eHealth. For instance, telecommunication licensing might affect the implementation environment of eHealth services, whereas provisions for telecommunication tariffs in regulation will directly affect the operation of some eHealth services and the extent of eHealth service uptake.
The structure enables the RRM to identify the types of regulation needed for eHealth services. It also provides the foundation for extended analysis as countries expand their eHealth regulatory aspects and enables the management of the complex relationships that emerge.
Figure 2: The RRM cube
Figure 2 shows the RRM as a split cube, a four-dimensional object with each face representing a two dimensional relationship. The relationships are between:
eHealth categories
Summary Report: Study on Regulatory Aspects of eHealth Page 10 of 37
ESA Tender AO/1-6936/11/NL/AD
eHealth services
Regulatory aspects
Specific regulations.
The need for four dimensions arises because of the many-to-many relationships between each of the four variables. For each eHealth Category there is more than one eHealth Service applicable and each eHealth Service may appear in more than one eHealth Category. This pattern follows for the relationship between eHealth Services and Regulatory Aspects, and between Regulatory Aspects and Regulations.
Two main sets of data are collected for the RRM. One is about the eHealth regulatory environment, the other about eHealth services in SSA. Overall, the RRM describes a structured end-to-end framework of regulatory aspects and processes for SSA countries to consider when implementing and operating their eHealth services. It provides the means to identify and analyse the regulation and legislation needed to provide the supporting environment for eHealth. It includes regulations that comply with country’s existing and expected laws, rules, policies and practices. Figure 3 shows how the RRM structure relates to the overall eHealth regulatory environment.
Figure 3: Overview of the RRM in the eHealth regulatory environment
The RRM provides data for comparative analyses between the current regulatory environment in SSA countries and the good practices from the regulatory situation in five countries identified worldwide as part of global best practice analysis. It comprises two main parts: eHealth laws and regulations as input, and draft eHealth regulations as outputs.
Summary Report: Study on Regulatory Aspects of eHealth Page 11 of 37
ESA Tender AO/1-6936/11/NL/AD
Structural metadata generated about the regulatory environment for implementing the various types of eHealth supports RRM development. The metadata defines the structural components that make up the RRM’s regulatory environment. The identified business processes in the provision of the various types of eHealth services and their related business rules and regulatory aspects that match their appropriate locations in the eHealth environment are inputs to the RRM. For its output, the RRM provides generic draft eHealth regulations with prospective regulation that needs considering when implementing and operating eHealth services.
A set of business process models and notations (BPMN) are in the RRM for each of ESA’s four eHealth categories of eCare, eLearning, eSurveillance and eGovernance/ eAdministration. These business process models parameterise to fit the various types of eHealth.
5.1 eHealth regulation priorities
The study has identified numerous topics for eHealth regulation. The higher priorities include:
Access to and ownership of data
Security and access to clinical information systems by patients and care providers
Privacy and confidentiality
Informed consent for data use
Data ownership
Access rights to patient data
Integrity of data
Patient safety
Secure transmission of patient data
Electronic and physical security
Reliability of electronic portable medical devices used with eHealth
Accuracy and reliability of online information for patients
Sustainability of accuracy and integrity of electronic patient medical records
Validity and reliability of clinical decision support systems
Quality of care using eHealth processes
Availability of efficient and effective communication systems for transferring patient data
Reliability and dependability of telemedicine and telemonitoring.
These are too many for an SSA country to pursue simultaneously. Pragmatic decisions on eHealth regulatory priorities are essential together with the need to set up eHealth regulation processes, organisations and resources.
A priority may be to select privacy, confidentiality, security and standards as sufficient to deal with over the next three to five years and to sustain these into the longer-term.
Summary Report: Study on Regulatory Aspects of eHealth Page 12 of 37
ESA Tender AO/1-6936/11/NL/AD
6. Global good practice
6.1 Selected countries
Five countries were identified as demonstrating good practices in eHealth regulation: Brazil, Canada, Estonia, Malaysia and Norway. Experienced representatives of each country provided detailed information about their eHealth regulatory environments. The different kinds of generic eHealth regulations were listed and classified and used to reinforce the RRM. This provided a checklist to ensure that the RRM covered the full range of eHealth regulations, services and workflows.
6.2 Completeness of the relevant regulatory framework
All five good practice countries have substantially complete eHealth regulatory frameworks. They have established national foundations for eHealth and provide strong regulatory frameworks in five areas:
1. Identification and authentication: the countries designed and implemented an identification and authentication regime for health information as a fundamental part of secure and reliable access and shared health information.
2. Information protection and privacy: the countries established a robust privacy and regulatory regime to authorise specific eHealth initiatives and ensure appropriate privacy safeguards and consent processes for access to, and use of health information and participation in eHealth initiatives.
3. National eHealth information standards: most of the selected countries have a national programme to define eHealth information standards to underpin the consistent and accurate collection and exchange of health information. This involves accelerating the implementation and adoption of the eHealth standards and identifying and prioritising the next tranche of national eHealth standards.
4. Investment in information communication technology (ICT) infrastructure: the relatively poor quality of computing infrastructure of PCs, network connectivity and core patient, clinical and practice management systems across many countries worldwide is barrier to eHealth take-up. The good practice countries established mechanisms to encourage healthcare providers to implement and maintain an acceptable computing infrastructure baseline.
5. National broadband services: the countries collaborate with relevant government and telecommunications organisations to extend planned broadband connectivity infrastructure to all of their healthcare providers.
6.3 Proven fertility of the regulatory framework
The success of an eHealth system depends on the success of:
eHealth regulations
Established eHealth programmes and initiatives
Governmental support
Sustainable funding.
The five selected countries fulfil these four criteria satisfactorily.
Summary Report: Study on Regulatory Aspects of eHealth Page 13 of 37
ESA Tender AO/1-6936/11/NL/AD
6.4 Challenges faced by the good practice countries
All five countries have well-developed, modern health systems and are dealing with numerous similar challenges. One is the challenge to the traditional doctor-patient relationship. The Internet has made an impact on this relationship and patients can access unprecedented amounts of health information of varying quality about many types of illnesses and disorders. Regulating this service cuts across jurisdictions and is a challenge for many types of eServices in many types of commercial and business activities. Solutions are proving elusive.
Another is the challenge to the liability of healthcare professionals where, through the Internet, an individual can contact and create a professional relationship with a healthcare professional and provider in cyberspace with accompanying risk management considerations. This has many features, including:
Is a provider-patient relationship established during telemedicine consultation?
What is the appropriate standard of care for telemedicine?
What is a provider’s liability for a missed diagnosis due to technological, rather than human error?
What injuries might a patient suffer, or claim to suffer, which would stem from long distance healthcare that relies on eHealth services?
Modern information technologies have the potential for the boundaries of the body of knowledge to be expanding constantly, thus, at what point will health information become part of the body of knowledge of which a reasonable health professional would have been aware?
Since telecommunications allow medicine to be quickly and efficiently practiced across state boundaries, how are jurisdictional issues settled around healthcare providers’ liabilities?
What is the scope of medical practitioners’ duties of confidentiality of patient information in telemedicine consultations?
Are healthcare providers aware of the privacy and confidentiality issues that arise in the use of email to discuss sensitive health information?
Challenges to the right of privacy is a major issue for eHealth initiatives where modern computing capabilities mean that huge quantities of data are stored, sorted and accessed by large numbers of people in ways that were not possible before. How can adequate security and privacy arrangements be set in place for handling personal information?
How can eHealth regulators create confidence among consumers and users of both networked and non-networked industries?
How can eHealth regulators promote a secure electronic environment in line with Multimedia Super Corridor objectives?
How can eHealth regulators facilitate the registration of healthcare professionals where the advent of eHealth, provision of telemedicine services across state borders and national borders creates issues for the registration of healthcare professionals?
6.5 Strengths, Weaknesses, Opportunities and Threats (SWOT) analyses
For each good-practice country, eHealth regulatory strengths, weaknesses, opportunities and threats (SWOTs) were explored and described. Each issue that was identified for a SWOT
Summary Report: Study on Regulatory Aspects of eHealth Page 14 of 37
ESA Tender AO/1-6936/11/NL/AD
component was counted as 1, allowing comparison of countries strengths, weaknesses, opportunities and threats.
The SWOT analyses reveal that the number of strengths outweigh the number of weaknesses by a considerable margin, some 7.1 times in total. The external view is different. There are twice as many threats as opportunities.
Developed eHealth regulation offers reasonable strengths (54% of all SWOTs) to countries’ eHealth services, minimises their weaknesses and creates new opportunities. It does not remove all threats (25% of all SWOTs).
Whilst developing eHealth regulation is worth it, policy makers and regulatory bodies should not be complacent. eHealth regulation needs a continuing effort to take the modest opportunities and minimise the number of threats.
Figure 4 shows a summary of the number of SWOTs. The percentages show the proportionate spread of the number of strengths, weaknesses, opportunities and threats identified for each country. The sum of these four values is the full SWOT profile for each country, which is 100%.
Figure 4: Summary of SWOT analyses of five Good Practice Countries
7. The eHealth regulatory environment in SSA
7.1 Key issues for developing eHealth regulation
All SSA countries have telecommunications laws and regulations that deal with competition and the market. Many have laws dealing with computer misuse, data protection and cyber-crime. The study provides evidence that confirms that eHealth regulation is not in place, and therefore needs to be developed virtually from scratch.
EHealth Regulation SWOT Overview
0%
15%
30%
45%
60%
75%
90%
S W O T
Brazil Canada Estonia Malaysia Norway
Summary Report: Study on Regulatory Aspects of eHealth Page 15 of 37
ESA Tender AO/1-6936/11/NL/AD
Most constitutions include rights to privacy, providing a core component of eHealth regulation. This limited regulatory situation means that only a few countries are classified as ready.
The study identified that most SSA countries have four main issues in common:
Limited eHealth regulation, if any
Limited eHealth initiatives compared to other global regions
A need for long-term timescales that include establishing processes, organisations and resources for eHealth regulation
Considerable limitations on the availability of finance for eHealth regulation.
The regulatory environment for eHealth comprises healthcare, telecommunications, data protection and cyber security legislation. Figure 5 summarises the main links.
Figure 5: The eHealth regulatory environment
The eHealth regulatory environment was analysed and relevant eHealth services described for each of the four eHealth categories. This data, shown in Table 1, is included in the RRM.
Table 1: eHealth Services for each eHealth category
eCare eLearning eSurveillance eAdministration/
eGovernance
1. Electronic medical record systems/patient management systems
2. Electronic patient monitoring systems
3. Electronic laboratory/imaging/ other diagnostic systems
4. Electronic pharmaceutical/prescription/dispensing systems
5. Electronic decision
1. Internet based healthcare training systems that support a range of learning activities including Continued Professional Development at all levels (CPD)
2. Remote interactive healthcare training
3. Computer simulated healthcare training
4. Virtual classroom
1. Disease outbreak monitoring/notification systems
2. Health service reporting systems
3. Geographic information systems for health
4. Modelling systems for health
5. Statistical systems for health
1. Technology regulation
2. Healthcare standards
3. Technology standards
4. Interoperability
5. Integration
6. Health management information systems, including aggregation for reporting performance indicators
7. Electronic patient billing systems
Regulatory environment
Influence of culture, custom and customary law (for 31 SSA countries customary law is formalized in the constitution)
Services
Health Laws
eHealth Services
eHealth
Regulation
Data Protection Laws
Telecommunications Services
Cyber Laws
Telecommunications
Regulation
Telecommunications Laws
Summary Report: Study on Regulatory Aspects of eHealth Page 16 of 37
ESA Tender AO/1-6936/11/NL/AD
support systems/artificial intelligence systems
6. Vaccination and immunization
7. Electronic patient registration systems
8. Electronic patient tracking systems
9. Electronic logistics and supply chain systems
10. Telemedicine systems
11. Telemonitoring systems
12. Electronic biomedical devices
13. Electronic knowledge management systems
14. Electronic patient reminder/notification/alert systems
15. Patient information websites
16. Electronic public health awareness systems
healthcare training
5. Digital media healthcare training content
6. Electronic/digital broadcast training for health
7. eResearch and related clinical aspects
8. Electronic patient insurance systems
9. Skills and expertise
10. Governance/coordination centres
11. Standard operating procedures
12. Adoption guidelines
13. eHealth advocacy
14. Data warehousing/data mining/business intelligence systems for health
The final RRM has six eHealth regulatory aspects, with 64 sub-aspects, as shown in table 2. This template is used to compile the actual eHealth regulatory coverage for each SSA country.
The study evaluated each country’s eHealth regulatory environment and determined, for each of the 64 sub-aspects, whether it was covered in some way by existing legislation (score 1) or not (score 0). Each country’s overall eHealth regulatory coverage was calculated by counting the number of the 64 sub-aspects covered and converting this to a percentage: proportion of the sub-aspects covered. The evaluation did not test the quality of coverage or the extent of coverage, but simply whether existing law could be identified to regulate each sub-aspect.
Table 2: eHealth regulatory aspects and sub-aspects
Data & Information
Storage Access to Data
Data Communication
Technology User Data Provision of
eHealth Services
Aggregation Authorization Liability Standards Registration Definition of Services
De-identification Authentication Security Reliability Notification Licensing
Anonymisation Availability Reliability Validity Consent Accreditation
Coding (Cryptography)
Disclosure Accuracy Availability Access Limitations of non-accreditation
Security Equity Availability Licensing Compliance Cross-border
Integrity Ethics Intention Accountability Master Indices Quality of Care
Interoperability Purpose of Use Accountability Certification Administration Rights
Summary Report: Study on Regulatory Aspects of eHealth Page 17 of 37
ESA Tender AO/1-6936/11/NL/AD
For SSA countries that do regulate a sub-aspect, most derive it from legislation and regulations for telecommunications, data protection, computer misuse and cyber-security, rather than through specific eHealth regulations. This was regarded as sufficient to regard a sub-aspect as covered. However, the scope and effectiveness of these combined regulations applied to health is generally lower than those of the good practice countries, where sub-aspect coverage implies specific eHealth regulation.
There are considerable differences between the eHealth sub-aspect coverage for good practice and SSA countries. Table 3 shows that the average coverage for SSA countries is less than half that for good practice countries.
Table 3: Comparison of eHealth regulatory aspects coverage
Regulation Aspects Good practice
countries coverage 48 SSA countries’
coverage
Data and information storage 60% 18%
Access to data 57% 20%
Data communication 63% 15%
Technology 70% 15%
User data 53% 19%
Provision of eHealth services 67% 9%
Average 62% 16%
The combination of the lower percentage sub-aspect coverage for SSA countries in Table 3 and the limited scope and effectiveness of their eHealth regulations points to a set of three choices for SSA countries. They could assign priority to:
Expanding the number of sub-aspects covered to match the good practice levels
Improving the scope and quality of the current eHealth regulations
Developing both together.
All options rely on countries establishing their processes, organisations and resources first, as the countries at the two eHealth regulation workshops proposed.
Quality Cross-border Quality Ownership Obligations
Accuracy Functionality Confidentiality Liability
Standards Accreditation of Vendors
Digital Signatures
Ownership Rights
Privacy Deletion
Confidentiality Retention
Deletion Culture
Retention Common Law
15 7 8 10 15 9
Summary Report: Study on Regulatory Aspects of eHealth Page 18 of 37
ESA Tender AO/1-6936/11/NL/AD
Whilst effective telecommunications is a foundation for eHealth, the telecommunications regulatory environment’s market focus provides limited experience for eHealth regulation because the overall set of requirements is different for the eHealth case, which includes:
Privacy
Confidentiality
Data integrity and quality
Sharing data about citizens and patients, between professionals and entities
Standards for health information
Accrediting Health suppliers and their solutions
Physical security
Electronic security
Aggregating data
Transferring data.
8. The eHealth Regulation Readiness Index (RRI)
The study identified that readiness for eHealth regulation has several components, including the existing regulatory environment, maturity and usage of ICT generally, existence of eHealth services and investment in healthcare. A country’s use of general electronic information and its eHealth status provides an indication of its relative need, and readiness for eHealth regulation. The analysis includes the overall eHealth dimension.
Many countries have several eHealth initiatives. These are primarily in segments of healthcare rather than across the whole health system. An increasingly common feature is Health Management Information Systems (HMIS), although they vary in their scope and reliance on linked paper-based information.
The study team could not find any indices for eHealth regulation readiness. The RRI is a combined index made up of the sum of the following sub-indices:
eHealth regulatory coverage in the RRM
ITU Information Development Index (ITU 2011)
WHO eHealth survey (WHO 2011)
Healthcare spending per capita in 2008 (WHO 2011).
The RRM index measures the current, estimated percentage coverage of eHealth regulation sub-aspects shown in tables 2 and 3. There are 64 regulatory aspects organized in six categories. The average coverage for SSA countries is about 16% of the 64 eHealth regulatory sub-aspects, mostly for the eHealth regulatory environment supported by telecommunications and data protection, but with few specific eHealth regulations. The equivalent rate for good practice countries is about 61%, which includes several eHealth regulations. The relative presence of these sub-categories in each country provides an indication of its regulation development and is one measure of readiness.
The ITU Information Development Index and the WHO eHealth survey provide an indication of the relative status of each country’s information and eHealth development. It is part of the country reviews, and is a proxy for the information developments’ readiness for
Summary Report: Study on Regulatory Aspects of eHealth Page 19 of 37
ESA Tender AO/1-6936/11/NL/AD
regulation. The combined ITU-WHO index is an aggregation of the two indices to show the relative information and eHealth development status of SSA countries.
The healthcare per capita spending index is a proxy for countries’ potential to afford the resources needed for new initiatives for eHealth regulation processes, organisations and activities. Financing eHealth regulation requires sustainable finance. It competes with other healthcare priorities for resources, such as more doctors and nurses, more drugs and new drugs. Financing eHealth regulation is very demanding for countries with low healthcare spending levels. It may be marginally less demanding for countries that spend relatively more on healthcare.
Countries with the highest readiness are countries with a proven mix of:
Existing substantial investment in eHealth
Planned substantial investment in eHealth
Existing legislation for telecommunications regulation and data protection
A proxy for potentially sustainable finance for eHealth regulation
An RRI score that is more than the RRI average plus one standard deviation rating on the combined index.
Data from the RRM, external country surveys by the ITU and the WHO, and data from the RRM completed by the study team provide the data for the ranking. The average scores of the ready and not ready countries differ for each index. Figure 6 shows a comparison.
Figure 6: Comparison of Average Scores of Ready and Not Ready Countries
The RRM and spend per head indices show the biggest, considerable differences between ready and not ready countries. The ITU+WHO index shows that the difference is 60% of the not ready countries average score. For the combined index, the difference is 80%. These differences indicate a reasonable degree of difference between the two country types of ready and not ready.
0.00
1.00
2.00
3.00
4.00
5.00
6.00
RRM ITU+WHO US$ Spend Combined
Me
an S
core
s
Indices
ESA SSA Ready and Not Ready Differences for Regulatory Indices
Ready Countries Not Ready Countries Difference
Summary Report: Study on Regulatory Aspects of eHealth Page 20 of 37
ESA Tender AO/1-6936/11/NL/AD
The individual indices and the combined index to which they contribute are described below. The figures provided are not intended to give a detailed country by country view, but rather to illustrate visually the difference in performance of the cohort of countries designated ready defined as above the mean plus one standard deviation, compared to the rest of the countries, making up a cohort designated not ready, and below the mean plus one standard deviation.
The ranking reflects the criteria of:
Readiness of each country to adopt eHealth services from a regulatory perspective
Regulatory constraints and degrees of risk they face in implementing and operating eHealth services and their criticality
Regulatory initiatives under discussion, either on the political agenda, or in the process of approval, including accountability of stakeholders to enforce initiatives
Funding sources and their connection to the regulatory environment
External information from surveys that quantify each country’s information status.
8.1 RRM index
Figure 7 shows the rank order and scores of the RRM index. Nine countries score above the mean of 0.36 plus the standard deviation of 0.19. Three of these, Ghana, Namibia and Cape Verde, score above the mean plus one standard deviation. They have greater coverage of eHealth regulatory sub-aspects than the subsequent six ready countries. Countries scoring below the mean are shaded beige.
Figure: 7 RRM Index Rank
0.00
0.10
0.20
0.30
0.40
0.50
0.60
0.70
0.80
Gh
ana
Nam
ibia
C
ape
Ver
de
Ken
ya
Zim
bab
we
Za
mb
ia
Eth
iop
ia
Cam
ero
on
R
wan
da
Mau
riti
us
Uga
nd
a M
oza
mb
iqu
e A
ngo
la
Bo
tsw
ana
Sen
egal
M
alaw
i N
iger
ia
Seyc
hel
les
Mal
i So
mal
ia
Gu
inea
D
RC
Li
ber
ia
Sud
an
Togo
Sa
o T
om
e &
Pri
nci
pe
Tan
zan
ia
Bu
run
di
Leso
tho
N
iger
So
uth
Su
dan
Th
e G
amb
ia
Erit
rea
Ben
in
Bu
rkin
a Fa
so
Cen
tral
Afr
ican
…
Ch
ad
Co
ngo
Rep
ub
lic
Equ
ato
rial
Gu
inea
G
abo
n
Gu
inea
-Bis
sau
M
adag
asca
r Si
erra
Leo
ne
Swaz
ilan
d
ESA SSA eHealth Regulation Readiness RRM Coverage Scores
Summary Report: Study on Regulatory Aspects of eHealth Page 21 of 37
ESA Tender AO/1-6936/11/NL/AD
8.2 ITU and WHO index
Seventeen countries score above the mean of 3.06 plus the standard deviation of 1.05. They are shaded green in the figure above. Nine countries are above one standard deviation above the mean, shaded pale green in figure 8. The top three, Mauritius, Botswana and Seychelles, stand apart as currently having greater information maturity. The long, sloping tail of not ready countries is clear to see. Countries scoring on or below the mean are shaded beige.
Figure 8: ITU+WHO Index Rank
8.3 Healthcare per capita spending
eHealth regulation requires financial resources. These are very scarce in SSA healthcare. Few, if any, will be able to allocate significant additional resources to eHealth regulation from government sources or from within healthcare budgets. This was confirmed at the eHealth Regulation Workshops. The best possibility is to allocate a small resource for an eHealth regulation team in ministries of health. An indication of the relative scope to achieve this is to use the estimated spending per head on healthcare as a proxy.
Eight countries, 17%, score above the mean of 0.02 as share of the total SSA spending per capita, plus one standard deviation of 0.03. These are shaded green. Of these, the top five, Equatorial Guinea, Botswana, Mauritius, Seychelles and Gabon score above the mean plus one standard deviation and are shaded pale green. They stand apart as currently having more healthcare finance per head. Countries scoring on or below the mean are shaded beige. The long, sloping tail of lower healthcare financing is clearly visible. Namibia, Swaziland and Angola are in between.
0.00
1.00
2.00
3.00
4.00
5.00
6.00
7.00
8.00
Mau
riti
us
Bo
tsw
ana
Seyc
hel
les
Nam
ibia
K
enya
G
han
a R
wan
da
Sen
egal
U
gan
da
Cap
e V
erd
e M
oza
mb
iqu
e G
abo
n
Mal
i N
iger
ia
Zim
bab
we
Sud
an
Sier
ra L
eon
e C
AR
Eq
uat
ori
al G
uin
ea
Mal
awi
Som
alia
So
uth
Su
dan
Th
e G
amb
ia
Mau
rita
nia
D
jibo
uti
Za
mb
ia
Co
te d
'Ivo
ire
An
gola
Sw
azila
nd
Ta
nza
nia
M
adag
asca
r To
go
Bu
run
di
Bu
rkin
a Fa
so
Cam
ero
on
Le
soth
o
DR
C
Lib
eria
Sa
o T
om
e &
Pri
nci
pe
Co
ngo
Rep
ub
lic
Co
mo
ros
Ben
in
Erit
rea
Eth
iop
ia
Gu
inea
-Bis
sau
C
had
G
uin
ea
Nig
er
ESA SSA eHealth Regulation Readiness ITU+WHO Index
Summary Report: Study on Regulatory Aspects of eHealth Page 22 of 37
ESA Tender AO/1-6936/11/NL/AD
Figure 9: Spending Per Head Index Rank
8.4 The RRI
Figure 10: RRI Rank
0
200
400
600
800
1 000
1 200
1 400
1 600
1 800
Equ
ato
rial
Gu
inea
B
ots
wan
a M
auri
tiu
s Se
ych
elle
s G
abo
n
Nam
ibia
Sw
azila
nd
A
ngo
la
Djib
ou
ti
Cap
e V
erd
e Su
dan
Sa
o T
om
e an
d P
rin
cip
e Le
soth
o
Nig
eria
U
gan
da
Cam
ero
on
R
wan
da
Sier
ra L
eon
e C
on
go
Sen
egal
So
uth
Su
dan
C
ote
d'Iv
oir
e G
uin
ea-B
issa
u
Zam
bia
B
urk
ina
Faso
Th
e G
amb
ia
Mau
rita
nia
G
han
a K
enya
To
go
Tan
zan
ia
Ben
in
Mal
awi
Ch
ad
Gu
inea
M
ali
Lib
eria
M
oza
mb
iqu
e B
uru
nd
i Et
hio
pia
M
adag
asca
r N
iger
C
om
oro
s D
RC
C
AR
Zi
mb
abw
e So
mal
ia
Erit
irea
ESA SSA eHealth Regulation Readiness US$ Spend Per Head
0.00
1.00
2.00
3.00
4.00
5.00
6.00
7.00
8.00
Mau
riti
us
Bo
tsw
ana
Seyc
hel
les
Cap
e V
erd
e G
han
a Se
neg
al
Rw
and
a N
amib
ia
Uga
nd
a K
enya
Zi
mb
abw
e
Gab
on
M
ali
Mo
zam
biq
ue
Nig
eria
Su
dan
Za
mb
ia
Sier
ra L
eon
e Eq
uat
ori
al G
uin
ea
Mal
awi
Som
alia
A
ngo
la
Sou
th S
ud
an
Cen
tral
Afr
ican
…
The
Gam
bia
D
jibo
uti
M
auri
tan
ia
Co
te d
'Ivo
ire
Swaz
ilan
d
Cam
ero
on
Ta
nza
nia
To
go
Mad
agas
car
Eth
iop
ia
Bu
run
di
Bu
rkin
a Fa
so
Leso
tho
D
RC
Li
ber
ia
Sao
To
me
& P
rin
cip
e C
on
go R
epu
blic
C
om
oro
s B
enin
Er
itre
a G
uin
ea-B
issa
u
Gu
inea
C
had
N
iger
ESA SSA eHealth eHealth Regulation Combined Readiness Scores
Summary Report: Study on Regulatory Aspects of eHealth Page 23 of 37
ESA Tender AO/1-6936/11/NL/AD
The ranking includes all 48 SSA countries. It uses data from the RRM for each of ESA’s four eHealth categories of eCare, eLearning, eSurveillance and eAdministration/eGovernance.
Ten countries comprise the ready group of countries. They are Mauritius, Botswana, Seychelles, Senegal, Uganda, Ghana, Namibia, Cape Verde, Kenya and Rwanda.
Seventeen countries score above the mean of 3.25 plus one standard deviation of 1.17. These are shaded green. Ten countries scoring above the mean plus one standard deviation are shaded pale green. Countries scoring below the mean are shaded beige.
Figure 11 compares the ten ready countries with the five good practice countries and all the SSA countries. The ten ready countries are much closer to the good practice countries than all SSA countries, revealing a considerable difference between the ten ready countries and the other SSA countries.
Figure 11 Comparison of Percentage Coverage of Six Regulatory Aspects by Five Good Practice
Countries, Ten Ready SSA Countries and All SSA countries
8.5 General issues in all countries
There are several common issues from the readiness ranking and private research by TinTree International eHealth that are found in all SSA countries. These are summarised below and except for mHealth, not included in the SWOT to avoid repetition.
A common feature is the continuing growth in mobile phone use. This had created the consequent development and potential of mHealth. mHealth regulation is a significant matter for all SSA countries and an important component of the SWOT. mHealth regulation
0%
10%
20%
30%
40%
50%
60%
70%
80%
Data and information
storage
Access to data Data communication
Technology User data Provision of eHealth services
Average
Comparison of eHealth Regulation Coverage of Five Good Practice Countries, 48 SSA Countries and Ten Ready SSA Countries
Five good practice countries Ten ready SSA countries 48 SSA countries
Summary Report: Study on Regulatory Aspects of eHealth Page 24 of 37
ESA Tender AO/1-6936/11/NL/AD
is a combination of telecommunication regulation for matters such as devices, competition and prices, and eHealth regulation for the health data used in mHealth. Given the important issue of affordability, need for explicit relative priorities, the growth in, and opportunities of mHealth create challenging impacts for eHealth regulation.
The results of the study show that generic eHealth regulations are needed across the whole eHealth domain. Regulations for high priority topics such as privacy, data integrity, confidentiality, standards and security apply to all four of ESA’s eHealth categories. Segmenting these for each category dilutes the initiatives needed by ready countries to step up their eHealth regulation scope. Therefore, the SWOT is for eHealth as a whole, not specific eHealth items.
An important finding from the SWOT for SSA countries is the weakness that each country needs to establish an eHealth regulator and develop working links with the ministry of justice, ministry of technology and other regulators. This leads on to the associated requirements of processes, organisations, affordability and budgets for eHealth regulation. Without this, progress on developing eHealth regulation can only be limited at best.
Common weaknesses are that all countries need to:
Establish processes, organisations and resources for eHealth regulation, then develop their eHealth regulations, creating a demanding workload that cannot be achieved in the short term
Establish an eHealth regulator and develop working links with the ministry of justice, ministry of technology and other regulators and deal with affordability and budgets
Develop their coverage of RRM eHealth regulatory sub-aspects
Develop generic regulations for eHealth that draw from existing regulations such as data protection, telecommunications and cyber-crime prevention
Increase the use of ICT security tools, facilities and protocols
Develop the limited skills in eHealth regulation.
The eHealth workshops identified the weakness of no, or limited processes, organisations and resources for eHealth regulation. Without these components in place, countries are unable to develop and implement specific eHealth regulations. Where they are in place, countries reported severe limitations of resources for eHealth regulation.
Discussions with health ministers and senior civil servants as part of the Commonwealth Secretariat’s eHealth initiative identified affordability as the main constraint in eHealth investment. Their views are different to ESA’s, which sees an adverse or weak regulatory environment that may appear to be the showstopper for eHealth implementation and operation.
Limited affordability underpins all eHealth initiatives in SSA, but may impact unevenly. mHealth offers more scope for expansion.
Common opportunities include:
Scope for SSA countries to work collaboratively with their RECs, the AUC and WHO-AFRO in order to tackle common challenges efficiently, learn from each other and develop national capacity and capabilities for eHealth regulation.
Summary Report: Study on Regulatory Aspects of eHealth Page 25 of 37
ESA Tender AO/1-6936/11/NL/AD
Common threats are:
The scale of change needed for major improvement may not be affordable due to the lack of additional resources for healthcare
The time needed to develop and approve eHealth legislation, and identified as at least ten years by the eHealth regulation workshop
ICT security standards and facilities are prevalent for all SSA countries, as they are for all countries globally.
The regulations identified by the study were shown to be general principles that apply to all types of ICT, including eHealth. This principle avoids regulations that need rewriting to keep pace with developing and changing ICT and eHealth, especially the increasing reliance on mHealth in SSA. These generic foundations for regulation lead to stable eHealth regulations that apply to all four of ESA’s eHealth categories equally, without the need for specific, changing regulations. Examples are regulations for privacy, confidentiality, data integrity and security. These apply to and cut across all eHealth categories and sub-categories. The SWOT findings also apply to all types of eHealth.
9. The roadmap for ready countries
This roadmap is for SSA countries judged to have eHealth regulatory environments sufficiently fertile to be ready to adopt, totally or partially, the regulation of eHealth services in the short to medium term. Short term is up to two years, medium term is up to five years. It draws findings from the study to illustrate the regulatory requirements needed for new eHealth services in those countries judged ready to do so. It is a roadmap showing all the necessary steps from legal and social perspectives over the short to medium term.
Countries designated by the study as ready for eHealth regulation are Mauritius, Botswana, Seychelles, Cape Verde, Ghana, Senegal, Rwanda, Namibia, Kenya, and Uganda.
Reports from the RRM and the eHealth RRI show that each ready country has:
A different set of operational eHealth services
Some required eHealth regulatory aspects already in place
Gaps in the required eHealth regulatory aspects.
Dealing with these differences needs a generic set of roadmap principles, including required consultations and new structures. This is supplemented by specific country actions needed to develop the eHealth regulatory environment. This approach is supported by one of our advisory board members when advice was sought on the roadmap. Prof Maurice Mars of the University of KwaZulu-Natal said:
“As you know I am not a fan of a one size fits all template approach. I think that if you can fashion the roadmaps based on where a government wants to get to with an eHealth solution and founded on the principles of thorough needs assessments and I include clinical, technical, human resource and regulatory needs, leading to a decision to either continue or review the goal, leading to the development of a business case followed by a further review
Summary Report: Study on Regulatory Aspects of eHealth Page 26 of 37
ESA Tender AO/1-6936/11/NL/AD
and then the development of the appropriate plans, including change management, to achieve the goal.”
The roadmap for ready countries has two parts:
A generic part describing the principles, consultations and structures required for ready countries to move forward
A country-specific part showing the regulatory aspects in place, the aspects that are missing to cover existing eHealth services and the aspects that need addressing to expand eHealth services and priorities for an action plan to address the gaps in the regulatory aspects.
9.1 Roadmap method for the ready countries
A roadmap provides a clear future objective and answers the critical questions: why, what, how and when? These questions define and explain a clear action plan for reaching the objective. This creates four parts to a roadmap:
The first part defines the roadmap’s domain, the objectives, and strategy for achieving those objectives; the why question of a roadmap. The roadmap's definition and strategy often include market and competitive assessments as well as planned applications.
The second part defines direction, or the team's plans; the “what” question of a roadmap. The direction includes challenges, the architecture and evolution of the team's solution, and measurable performance targets to achieve the objective.
The third part describes the evolution of technologies needed to achieve the objective; the “how” question of a roadmap.
The fourth part defines the timing of the required actions; the “when” question of a roadmap. The action plan identifies key development actions, resources required, risks, and technology investment strategy.
The SMART concept is used during the implementation of this roadmap:
S Specific about what has to be achieved, so not ambiguous, and communicate clearly;
M Ensure results are measurable, with clearly defined outcomes such as key performance indicators (KPI);
A Make sure that proposed actions have appropriate and achievable outcomes R Check that actions are realistic, taking account of time, ability and finances; T Make sure it is time restricted in a realistic and achievable time frame, with set
deadlines, milestones and progress checks.
The ten ready countries show different characteristics across the three component indices of RRM, ITU-WHO and healthcare spending. It is important to reflect these differences in the roadmap.
9.2 Essential roadmap activities
With the emphasis on developing processes, organisations and resources in the first two years, the activities include:
Summary Report: Study on Regulatory Aspects of eHealth Page 27 of 37
ESA Tender AO/1-6936/11/NL/AD
Engagement with core stakeholders to agree on the goals of eHealth regulations and each step ahead
Identifying and agreeing the top priorities and scope
Preparing draft regulations
Describing all the necessary authorisations, commitments, constraints, licenses, requirements and qualifications required by the applicable regulatory environment and the specific time scales needed to obtain them
Consultation, initially on structures and draft regulations with all the relevant recognised authorities
Describe and justify the arrangements needed to approach them as part of the engagement methodologies needed for successful change programmes
Implementation arrangements for structures and drafts
Arrangements and practices for compliance reviews and enforcement.
9.3 eHealth regulation action plan
This deals with questions of what needs to be in place to develop eHealth regulation in the short to medium term. There are several choices, and decisions depend on each country’s start point, context, priorities and eHealth strategy. Each country’s overall direction should build on its current eHealth investment and eHealth regulatory environment then converge on its medium term eHealth strategy, priorities and investment plan. These range across eCare, eLearning, eSurveillance and eAdministration/eGovernance, with the emphasis possibly changing as countries move from their existing eHealth profile into the future.
The countries chosen for the short term roadmap have the highest RRM position in the RRI. Some important first steps to be taken in order to enhance the eHealth regulations are:
Review the eHealth regulation aspects with no coverage scores in all 64 sub-aspects provided by the RRM
Review the quality and rigor of sub-aspect regulations that are in place
Security is an increasing concern and can support other sub-aspects, such as logins and access.
As eHealth becomes more expansive and integrated, it is likely that the transfer of data within and between ESA’s four eHealth categories increases. This may change the regulatory priorities, with an increase on regulating the transferring of, or access to, data over networks. This is consistent with increased data sharing found in interoperable electronic patient records (EPR) and health records (Dobrev 2010). In this context, each country should be clear about the eHealth regulation priorities that it intends to address over the medium term.
9.3.1 eHealth environment
To set the direction for eHealth regulation, each country should set out its eHealth environment as:
Current eHealth services
Financed, planned eHealth services over the short to medium term and ready for implementation
Summary Report: Study on Regulatory Aspects of eHealth Page 28 of 37
ESA Tender AO/1-6936/11/NL/AD
Other planned eHealth services over the short to medium term
Types of eHealth services for eCare, eLearning, eSurveillance and eAdministration/eGovernance.
This profile of eHealth investment into the future provides the context and requirements for eHealth regulations.
9.3.2 eHealth regulations needed
Two main types are general and specific. A simple example for general eHealth regulation is an overall direction that secures improved:
Privacy, a right that peoples’ health data will not be used to observe, monitor, or disturb them without their consent
Confidentiality, a right that health workers and healthcare organisations are entrusted with patients’ data and will keep it secret
Data quality and integrity, where data is accurate, timely, complete, and reliable
Access to, and sharing of, patients’ data by health workers for the benefits of patients
Security, electronic and physical
Accreditation of eHealth suppliers for procurement, implementation, and operation
Standards, including interoperability, architecture, functionality and data definitions for implementation and operating eHealth services.
Some of these, such as privacy, confidentiality, and security, may already be included in telecommunications and data protection regulation as part of the eHealth regulatory environment.
Simple examples of specific eHealth regulation may deal with activities such as:
Sharing patient data between GPs and hospital doctors for treating current patient conditions and using selected international standards and secure computers and networks
Transferring clinical data from GPs and hospitals to eSurveillance services using international standards and secure computers and networks
Protocols for anonymising and de-identifying types of patient data from GPs and hospitals for healthcare managers to use in planning and resource utilization studies.
These lead to a set of decisions for the direction of eHealth regulation:
What eHealth regulations do countries needed now?
What eHealth regulations do countries need in the short term to medium term?
Why do they need them?
What do they need to introduce them?
From these positions, countries can develop the direction of their eHealth regulation initiatives. They can also develop their arrangements for eHealth regulation enforcement. Before these are set, it is essential that they are dealt with by engaging key stakeholders. These include associations representing patients and citizens, healthcare professional bodies, healthcare entities, eHealth suppliers and other ministries.
Summary Report: Study on Regulatory Aspects of eHealth Page 29 of 37
ESA Tender AO/1-6936/11/NL/AD
9.4 eHealth regulation challenges
The current position, opportunity and challenges in SSA are:
Introduce enough regulation so that acceptable standards are maintained and innovation is not stifled, which is a decision that each SSA country must take as more of a judgement for themselves rather than just an analysis or relying entirely on the RMM
Governments, especially the Ministries of Health, should set a few generic principles in place, leaving eHealth regulators and HPOs to deal with details and contexts
Compliance should be affordable for HPOs, so does not take resources away from eHealth initiatives
Enforcement should be costly enough to encourage users to comply, but not too costly that it causes financial and affordability problems
Affordability and financing eHealth regulation and eHealth
Collaborate with existing regulators, such as telecommunications, data protection and cyber-crime prevention to build on the current eHealth regulatory environment
Can eHealth regulators match the pace of eHealth change that brings more smart phones, tablets and other mobile devices into use in healthcare?
Using mobile phones in healthcare has specific challenges that are not often part of eHealth initiatives. For mHealth, some specific challenges include:
What types of devices should HPOs allow and support?
Should healthcare professionals use their personal devices or must they use ones issued by their HPOs?
Are mobile communications secure?
Are there documented policies and procedures governing mobile device usage? 1
The HPOs’ mobility strategies can extend across the use of smart phones, pagers, Wi-Fi phones and tablets. A survey1 in the USA found that a typical hospital supported some 67% of smart phones and pagers and about 49% of Wi-Fi phones and tablets in use. Only 34% of hospitals had a documented mobility strategy, and 31% are developing a strategy. Some 37% of hospitals said they had no plans for a mobility strategy. This is a vastly different finding compared to that of another survey2 from the USA, published at a similar time that found only 3% of HPOs have no plans to create a policy. Whilst the two surveys are not measuring precisely the same phenomenon, the difference is so great as to be difficult to reconcile. However, the difference does not dilute the common theme of the need for HPOs to have an effective, current mobile technology strategy. Of all the mobile devices in circulation, over half belong to users. This is the bring-your-own-device (BYOD) concept. Some 64% of hospitals in the USA support these. This phenomenon emphasises the need to regulate the links between telecommunications and healthcare data, so the need for telecommunications and eHealth regulators to collaborate continuously.
Evidence for simple legislation is that the RRM reveals the extremely wide range of eHealth contacts within an equally wide range of healthcare contexts. Attempting to legislate to
1 Survey Results: The Role of Mobility Strategies in Healthcare Amcom Software White Paper December 2012
2 2
nd Annual HIMSS Mobile Technology Survey Health Information Management Systems Society December 2012
Summary Report: Study on Regulatory Aspects of eHealth Page 30 of 37
ESA Tender AO/1-6936/11/NL/AD
regulate all these is not practical, likely to be incomplete, and will need revisions to legislation as healthcare and eHealth technology develops. From this, the apparent conclusion is the need for simple legislation with good principles building on the current eHealth regulatory environment.
Health workers are using mobile devices to improve the provision of direct healthcare. Some of the eHealth regulatory questions are:
Are the devices password protected?
Are password policies enforced?
Is remote data wipe-enabled?
Is mobile security software installed to protect against viruses or malware?
Are wireless networks secure?
Is data encrypted when it is transmitted?
Are passwords required to retrieve data containing electronic protected health information (ePHI)?
Are mobile applications safe and secure?
The Survey sees the solution as “Designing and implementing a comprehensive mobility strategy is a critical step in securing patient privacy and enhancing patient safety in the age of portability”.3
Balancing regulation and freedom to invest so regulation is not a constraint to eHealth initiatives
9.5 Decisions for eHealth regulation
The main types of decision for eHealth regulation are:
Who is the eHealth regulator?
Legislation and regulations approved by legislature – simplified and generic, not detailed and specific, such as rights and obligations for privacy, confidentiality, data quality, security and standards.
Detailed and specific for entities adopting eHealth so they know where to look in the healthcare and eHealth processes to achieve regulatory compliance.
Detailed and specific for regulators to know where to look in the healthcare and eHealth processes to achieve regulatory review and enforcement.
Actions and changes needed by HPOs to comply with eHealth regulations.
This leads to the need for two roadmaps: one for eHealth regulators and one for HPOs that have to comply within the resources available.
9.6 Action plan for eHealth regulation
Legislation and regulations rely on principles and concepts, and so need limited detailed information. This needs new, detailed, specific information that the RRM can provide, and this is a dependency. The action plan items are in chronological order. Each action is
3 Survey Results: The Role of Mobility Strategies in Healthcare Amcom Software White Paper December 2012
Summary Report: Study on Regulatory Aspects of eHealth Page 31 of 37
ESA Tender AO/1-6936/11/NL/AD
dependent on the previous actions. It has two timescales, short term of one and two years, and the medium term of three and five years, as shown in Table 4.
Table 4: Generic eHealth regulation action plan for ready countries
ACTION PLAN
No. Specific Actions Specific Actions
Dependencies
People and Teams for The
Actions Timings
1. Health minister and permanent secretary appoint the eHealth regulator within the ministry of health, possibly a temporary role. Create eHealth organisations and expand the processes and resources for eHealth regulation.
Prioritisation of eHealth regulation by health ministries
Health minister and permanent secretary
1-2 Years
2. Link with other ministries and other regulators for telecommunications, data protection and cyber-security and set up a multi-disciplinary eHealth regulation team
Prioritisation of eHealth regulations by related ministries
Health minister 1-2 Years
3. Identify and secure sustainable finance for regulation, including resources needed to train regulators
Prioritisation of eHealth regulation by health ministries
Recognition of positive socio-economic return from eHealth investment
eHealth regulator
1-2 Years
4. Start engagement with stakeholders and users, including professional bodies, healthcare provider organisations and suppliers, including formal consultation on new eHealth laws, decrees and regulations
Stakeholder support eHealth regulator
1-2 Years
5. Review eHealth regulation sub-aspects with no regulations against RRM and global good practice benchmarks to test for quality
Secure resources for review
Access to RRM
eHealth regulator
1-2 Years
6. Review existing regulations against RRM and global good practice benchmarks to test for quality
Secure resources for review
Access to RRM
eHealth regulator
1-2 Years
7. Check against global good practice benchmarks and current eHealth, planned eHealth projects for regulations that are needed, including expanding eHealth on mobile phones, cloud computing, BYOD and social media
Secure resources for review
Access to RRM
eHealth regulator
1-2 Years
8. Review eHealth security and link with national security initiatives.
Secure resources for review
eHealth regulator
1-2 Years
Summary Report: Study on Regulatory Aspects of eHealth Page 32 of 37
ESA Tender AO/1-6936/11/NL/AD
ACTION PLAN
No. Specific Actions Specific Actions
Dependencies
People and Teams for The
Actions Timings
9. Compliance reviews – these can start immediately
Secure resources for reviews
Develop expertise for reviews
eHealth regulator
1-2 Years
10. Actions to ensure compliance with existing regulations
Secure commitment of stakeholders to change
eHealth regulator
3-5 Years
11. Draft legislation and decrees as needed
Political priority of government for legislation
eHealth regulator, ministry of justice and ministry of technology
3-5 Years
12. Pass laws and decrees
Political priority of government
Minister of health
3-5 Years
13. Implement laws and decrees, such as training, dissemination, standards, procurement
Secure resources and expertise for change
eHealth regulator
3-5 Years
14. Draft regulations needed Develop expertise for regulation drafting
eHealth regulator, ministry of justice and ministry of technology
3-5 Years
15. Pass regulations, through the relevant country’s law making processes
Political priority of government
Minister of health and permanent secretary
3-5 Years
16. Segment the regulations between healthcare provider organisations and suppliers
Develop expertise for regulation
eHealth regulator
3-5 Years
17. Decide which healthcare providers are regulated – start with public system move onto private, NGOs and continue with faith-based
Develop expertise for regulation
Health minister and permanent secretary
3-5 Years
18. Decide which suppliers are regulated and the licences and accreditations they need
Develop expertise for regulation
Gain stakeholder support
eHealth regulator
3-5 Years
19. Implement regulations, such as training, dissemination, standards and procurement
Develop expertise for regulation and change
eHealth regulator
3-5 Years
Summary Report: Study on Regulatory Aspects of eHealth Page 33 of 37
ESA Tender AO/1-6936/11/NL/AD
ACTION PLAN
No. Specific Actions Specific Actions
Dependencies
People and Teams for The
Actions Timings
20. Monitoring and evaluation of progress at end of years 1, 2, 3, 4 and 5
Develop expertise for regulation monitoring
eHealth regulator
3-5 Years
21. Implement findings from monitoring and evaluation
Develop expertise for regulation implementation
Gain stakeholder support
eHealth regulator
3-5 Years
22. Reset the action plan for years 6 onwards Develop expertise for regulation
Gain stakeholder support
eHealth regulator
Year 5
Simple examples of short-term strategies to facilitate the smooth implementation and operation of new eHealth services that comply with the existing legal and socio-cultural environment include:4
1. Extend the existing eHealth regulatory environment of telecommunications and data protection acts and regulation into eHealth regulations
2. Develop and approve health legislation to include the requirements of modern eHealth, including privacy, confidentiality, data quality, health workers access to and sharing of patient data, security, standards
3. Set up an independent eHealth regulator that engages continuously with healthcare professions, healthcare entities and eHealth suppliers
4. Empower the eHealth, telecommunications and data protection regulators to collaborate and work together
5. Give the eHealth regulator power to deal with the eHealth market to avoid market disruption, accredit eHealth suppliers, ensure patient and consumer interests are protected, create and safeguard effective competition and prevent anti-competitive practices
6. Routine accountability to government, the legislature, citizens, healthcare professionals and eHealth suppliers
7. Ensure that eHealth regulation does not diminish the opportunities to invest in new eHealth initiatives
8. Ensure that eHealth suppliers are accredited to meet each country’s eHealth needs.
9.7 Risk assessment for average rated countries
The first step in regulation risk mitigation strategies is to appoint an eHealth regulator. Without this, no one can begin the required actions needed to develop and improve eHealth regulation. From this, following and resourcing the steps in the roadmap within the
4 Legal and Institutional Aspects of Regulation Module 6 ICT Regulation Toolkit Telecommunications Management Group, Inc.
Summary Report: Study on Regulatory Aspects of eHealth Page 34 of 37
ESA Tender AO/1-6936/11/NL/AD
proposed timescales mitigates the risks. The extent to which this mitigates risk depends on the availability of finance and capacity of regulation skills available to the eHealth regulator.
At the eHealth regulation workshops, affordability and budgets were identified as major constraints to progress. In addition, timescales that exceed five years are typical for new legislation. These indicate a very limited degree of mitigation over the medium term. It is not justified to propose significant risk mitigation before five years.
An assessment of the exposure to risks of the adoption and operation of eHealth services from a regulatory perspective uses the TinTree Risk Assessment Model. This helps to identify, locate, and categorise risks associated with eHealth regulation. The risk factors are:
Total regulatory aspects not covered as shown by the RRM
Limited prevalence of developed regulations
eHealth Regulatory Body not in place
Availability of people with Certified Information System Security Professional (CISSP) qualifications
Extensive BYOD use
Extensive cloud use
Extensive social media use
Few links with ministry of ICT
Few links with ministry of Justice
Few links with telecommunications regulator
Few links with data protection regulator
Few links with cyber-crime prevention regulator
ITUWHO eHealth development index score.
Figure 12 Estimated eHealth Regulation Risk Exposure of Ten Ready Countries
0%
20%
40%
60%
80%
100%
Good Practice
Botswana Cape Verde
Ghana Kenya Mauritius Namibia Rwanda Senegal Seychelles Uganda
ESA SSA eHealth Regulation Study Estimated Regulation Risk Exposure
Summary Report: Study on Regulatory Aspects of eHealth Page 35 of 37
ESA Tender AO/1-6936/11/NL/AD
Most SSA countries have high scores on some of these risk factors, especially the lack of eHealth regulators, so very limited stakeholder engagement contributing to high risk exposure because there is no one who can deal with the activities and implement the measures needed to mitigate risks.
The estimated risks exposure of the ten ready countries is shown in Figure 12.
10. The roadmap for other countries
This is similar to the roadmap for ready countries but with two major differences.
First, these countries tend to have lower levels of eHealth investment
Second, the pace of eHealth regulation in SSA countries needs to match changes in eHealth investment in order to close the gap with good practice.
This complies with the principle that eHealth regulation tends to follow eHealth. At best, it can fit alongside eHealth and be integrated with these initiatives.
Because the level of eHealth regulation is much lower than in the ready countries, the other countries will need more time to review and develop their eHealth regulatory processes, organisations and resources. This could take at least three years.
11. The eHealth regulation workshops
The two workshops, the first in Botswana, the second in Ghana, had three major objectives:
1. Provide countries and RECs with an overview of the eHSA Programme and a description of the study on regulatory aspects and RRM
2. Enable participants to consider how they will go about preparing action plans and setting priorities to develop and introduce eHealth regulation, such as legislation, regulations and regulatory bodies needed to set out on a development path for their eHealth regulation
3. Promote a uniform approach to eHealth regulation among regional stakeholders, RECs and countries that advances their policies and strategies.
The first eHealth regulation workshop was for Botswana, Mauritius, Mozambique and Namibia. The second was for Ghana, Kenya, Rwanda, Senegal and Uganda.
In Botswana, WHO-AFRO’s participation made a valuable contribution. Country representatives raised the important aspect of realistic time frames. Botswana reminded participants that it can take from five to ten years to develop and pass legislation.
Whilst each countries eHealth environment is unique, there are common challenges for eHealth regulation, such as:
eHealth security
Lack of regulatory body
Lack of resources
Lack of eHealth specific legislation
Summary Report: Study on Regulatory Aspects of eHealth Page 36 of 37
ESA Tender AO/1-6936/11/NL/AD
Skills shortage
Sustainability.
Country suggestions for moving forward:
Regional cooperation
Establish a learning network.
In Ghana, AUC participation provided a valuable contribution. It provided critical oversight and insight into the AU’s eHealth plans and strategies and provided a clear way forward for countries and the Greenfield Management Solutions (GMS) consortium alike. The AUC participants emphasised the need for political support, without which the study and the eHSA programme would have little impact.
The AUC participants agreed to share the study outcomes with the heads of states at their next meeting in Addis Ababa. This top town approach will place eHealth regulation as a priority on the agenda of all AU member states and make member states accountable to each other as well as the AUC in terms of their eHealth regulation development and its contribution to overall eHealth strategy.
Countries agreed that structured regional cooperation will be vital in order to strengthen eHealth development and implementation.
The importance of a business model and business case behind eHealth regulation was raised by both international stakeholders and countries alike. This would encourage investment by private companies and ensure sustainability in the long run and contribute to:
A deeper understanding of the study on regulatory aspects and the overall eHSA programme
An insight into their eHealth regulation status and ranking
An understanding of the RRM and an appreciation of how they can use the RRM to strengthen their eHealth regulatory environment
The need to collaborate with stakeholders, such as ministries of justice and ministries of technology
Ensuring realism of the medium-term timescale needed to begin to develop eHealth regulation
Countries starting to prepare action plans and narratives for their next steps
New eHealth initiatives that may require a review of their regulations – this is a continuous process.
At both workshops, countries’ responses were encouraging and the enthusiasm with which delegates engaged with the study team was constructive. GMS will continue to work with countries to help them develop regulation action plans to strengthen their eHealth regulatory environment.
The study team will also work closely with the international stakeholders that attended the workshops: the AUC, WHO-AFRO, NEPAD Agency and the AfDB. Their support is crucial for continued success and dissemination, and will ensure that the practical benefits which the study and eHSA programme has to offer are realised.
Summary Report: Study on Regulatory Aspects of eHealth Page 37 of 37
ESA Tender AO/1-6936/11/NL/AD
12. Conclusions
There are three critical findings from the study. The first is that eHealth regulation in the SSA countries lags behind the good practice countries by some 45%. The second is that ten SSA countries, about 21%, are closer to good practice countries and are more ready for eHealth regulation than the other SSA countries. Third, at the eHealth regulation workshop it was determined that these ready countries need about five years to assemble eHealth regulation priorities, processes, organisations, resources and legislation. Taking all three findings together, it shows that eHealth regulation is a long-term initiative for SSA.
Developing eHealth regulation that addresses these findings is not a short-term activity. It needs to be sustainable for the long-term. There is a clear momentum emerging among the ready countries to adopt eHealth regulation. Countries are willing to collaborate, which, when coupled with the commitment of the AUC, WHO-AFRO and NEPAD to support eHealth regulation as part of their own strategies, has led to the appearance of considerable constructive potential. Examples of activities required to unfold this potential include:
Prepare robust cases for eHealth regulation
Set eHealth priorities
Share materials on legislation and regulations
Compare experiences on compliance reviews
Develop skills, capacity and capabilities
Share progress with other countries.
To support this, GMS is establishing a web based platform for sharing information about eHealth in Africa, which will be developed and sustained in the short term by GMS non-profit partner, TinTree International eHealth Leadership and Development Network at www.ehna.org.